draft-ietf-lamps-cmp-updates-11.txt | draft-ietf-lamps-cmp-updates-12.txt | |||
---|---|---|---|---|
LAMPS Working Group H. Brockhaus | LAMPS Working Group H. Brockhaus | |||
Internet-Draft D. von Oheimb | Internet-Draft D. von Oheimb | |||
Updates: 4210, 5912, 6712 (if approved) Siemens | Updates: 4210, 5912, 6712 (if approved) Siemens | |||
Intended status: Standards Track 30 June 2021 | Intended status: Standards Track 9 July 2021 | |||
Expires: 1 January 2022 | Expires: 10 January 2022 | |||
Certificate Management Protocol (CMP) Updates | Certificate Management Protocol (CMP) Updates | |||
draft-ietf-lamps-cmp-updates-11 | draft-ietf-lamps-cmp-updates-12 | |||
Abstract | Abstract | |||
This document contains a set of updates to the syntax and transport | This document contains a set of updates to the syntax and transport | |||
of Certificate Management Protocol (CMP) version 2. This document | of Certificate Management Protocol (CMP) version 2. This document | |||
updates RFC 4210 and RFC 6712. | updates RFC 4210 and RFC 6712. | |||
The aspects of CMP updated in this document are using EnvelopedData | The aspects of CMP updated in this document are using EnvelopedData | |||
instead of EncryptedValue, clarifying the handling of p10cr messages, | instead of EncryptedValue, clarifying the handling of p10cr messages, | |||
improving the crypto agility, as well as adding new general message | improving the crypto agility, as well as adding new general message | |||
skipping to change at page 1, line 48 ¶ | skipping to change at page 1, line 48 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on 1 January 2022. | This Internet-Draft will expire on 10 January 2022. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
skipping to change at page 2, line 38 ¶ | skipping to change at page 2, line 38 ¶ | |||
2.4. New Section 5.1.1.3. - RootCaCert . . . . . . . . . . . . 7 | 2.4. New Section 5.1.1.3. - RootCaCert . . . . . . . . . . . . 7 | |||
2.5. New Section 5.1.1.4. - CertProfile . . . . . . . . . . . 8 | 2.5. New Section 5.1.1.4. - CertProfile . . . . . . . . . . . 8 | |||
2.6. Update Section 5.1.3.1. - Shared Secret Information . . . 8 | 2.6. Update Section 5.1.3.1. - Shared Secret Information . . . 8 | |||
2.7. Replace Section 5.1.3.4 - Multiple Protection . . . . . . 8 | 2.7. Replace Section 5.1.3.4 - Multiple Protection . . . . . . 8 | |||
2.8. Replace Section 5.2.2. - Encrypted Values . . . . . . . . 9 | 2.8. Replace Section 5.2.2. - Encrypted Values . . . . . . . . 9 | |||
2.9. Update Section 5.3.4. - Certification Response . . . . . 11 | 2.9. Update Section 5.3.4. - Certification Response . . . . . 11 | |||
2.10. Update Section 5.3.18. - Certificate Confirmation | 2.10. Update Section 5.3.18. - Certificate Confirmation | |||
Content . . . . . . . . . . . . . . . . . . . . . . . . 12 | Content . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
2.11. Update Section 5.3.19.2. - Signing Key Pair Types . . . . 12 | 2.11. Update Section 5.3.19.2. - Signing Key Pair Types . . . . 12 | |||
2.12. Update Section 5.3.19.3. - Encryption/Key Agreement Key | 2.12. Update Section 5.3.19.3. - Encryption/Key Agreement Key | |||
Pair Types . . . . . . . . . . . . . . . . . . . . . . . 12 | Pair Types . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
2.13. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 13 | 2.13. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 13 | |||
2.14. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 13 | 2.14. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 13 | |||
2.15. New Section 5.3.19.15 - Root CA Certificate Update . . . 13 | 2.15. New Section 5.3.19.15 - Root CA Certificate Update . . . 14 | |||
2.16. New Section 5.3.19.16 - Certificate Request Template . . 14 | 2.16. New Section 5.3.19.16 - Certificate Request Template . . 14 | |||
2.17. Update Section 5.3.22 - Polling Request and Response . . 15 | 2.17. Update Section 5.3.22 - Polling Request and Response . . 16 | |||
2.18. Update Section 7 - Version Negotiation . . . . . . . . . 16 | 2.18. Update Section 7 - Version Negotiation . . . . . . . . . 16 | |||
2.19. Update Section 7.1.1. - Clients Talking to RFC 2510 | 2.19. Update Section 7.1.1. - Clients Talking to RFC 2510 | |||
Servers . . . . . . . . . . . . . . . . . . . . . . . . 17 | Servers . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
2.20. Update Section 9 - IANA Considerations . . . . . . . . . 17 | 2.20. Update Section 9 - IANA Considerations . . . . . . . . . 17 | |||
2.21. Update Appendix B - The Use of Revocation Passphrase . . 19 | 2.21. Update Appendix B - The Use of Revocation Passphrase . . 19 | |||
2.22. Update Appendix C - Request Message Behavioral | 2.22. Update Appendix C - Request Message Behavioral | |||
Clarifications . . . . . . . . . . . . . . . . . . . . . 19 | Clarifications . . . . . . . . . . . . . . . . . . . . . 20 | |||
2.23. Update Appendix D.1. - General Rules for Interpretation of | 2.23. Update Appendix D.1. - General Rules for Interpretation of | |||
These Profiles . . . . . . . . . . . . . . . . . . . . . 20 | These Profiles . . . . . . . . . . . . . . . . . . . . . 20 | |||
2.24. Update Appendix D.2. - Algorithm Use Profile . . . . . . 20 | 2.24. Update Appendix D.2. - Algorithm Use Profile . . . . . . 21 | |||
2.25. Update Appendix D.4. - Initial Registration/Certification | 2.25. Update Appendix D.4. - Initial Registration/Certification | |||
(Basic Authenticated Scheme) . . . . . . . . . . . . . . 21 | (Basic Authenticated Scheme) . . . . . . . . . . . . . . 21 | |||
3. Updates to RFC 6712 - HTTP Transfer for the Certificate | 3. Updates to RFC 6712 - HTTP Transfer for the Certificate | |||
Management Protocol (CMP) . . . . . . . . . . . . . . . . 21 | Management Protocol (CMP) . . . . . . . . . . . . . . . . 21 | |||
3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 21 | 3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 21 | |||
3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 21 | 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 22 | |||
3.3. Update Section 6. - IANA Considerations . . . . . . . . . 22 | 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 22 | |||
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | |||
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 23 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 23 | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 25 | 7.2. Informative References . . . . . . . . . . . . . . . . . 25 | |||
Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 25 | Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 26 | |||
A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 25 | A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 26 | |||
A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 38 | A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 39 | |||
Appendix B. History of changes . . . . . . . . . . . . . . . . . 51 | Appendix B. History of changes . . . . . . . . . . . . . . . . . 51 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55 | |||
1. Introduction | 1. Introduction | |||
While using CMP [RFC4210] in industrial and IoT environments and | While using CMP [RFC4210] in industrial and IoT environments and | |||
developing the Lightweight CMP Profile | developing the Lightweight CMP Profile | |||
[I-D.ietf-lamps-lightweight-cmp-profile] some limitations were | [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were | |||
identified in the original CMP specification. This document updates | identified in the original CMP specification. This document updates | |||
RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these | RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these | |||
skipping to change at page 8, line 15 ¶ | skipping to change at page 8, line 15 ¶ | |||
2.5. New Section 5.1.1.4. - CertProfile | 2.5. New Section 5.1.1.4. - CertProfile | |||
Section 5.1.1 of RFC 4210 [RFC4210] defines the PKIHeader and id-it | Section 5.1.1 of RFC 4210 [RFC4210] defines the PKIHeader and id-it | |||
OIDs to be used in the generalInfo field. This section introduces | OIDs to be used in the generalInfo field. This section introduces | |||
id-it-certProfile. | id-it-certProfile. | |||
Insert this section after Section 5.1.1.3: | Insert this section after Section 5.1.1.3: | |||
5.1.1.4. CertProfile | 5.1.1.4. CertProfile | |||
This is used by the EE to indicate a specific certificate profile, | This is used by the EE to indicate specific certificate profiles, | |||
e.g., when requesting a new certificate or a certificate request | e.g., when requesting a new certificate or a certificate request | |||
template, see Section 5.3.19.16. | template, see Section 5.3.19.16. | |||
id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} | id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} | |||
CertProfileValue ::= UTF8String | CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String | |||
When used in a ir/cr/kur/genm, the value MUST NOT contain more | ||||
elements than the number of CertReqMsg or InfoTypeAndValue elements | ||||
and the certificate profile names refer to the elements in the given | ||||
order. | ||||
When used in a p10cr, the value MUST NOT contain multiple certificate | ||||
profile names. | ||||
2.6. Update Section 5.1.3.1. - Shared Secret Information | 2.6. Update Section 5.1.3.1. - Shared Secret Information | |||
Section 5.1.3.1 of RFC 4210 [RFC4210] describes the MAC based | Section 5.1.3.1 of RFC 4210 [RFC4210] describes the MAC based | |||
protection of a PKIMessage using the algorithm id-PasswordBasedMac. | protection of a PKIMessage using the algorithm id-PasswordBasedMac. | |||
Replace the first paragraph with the following text: | Replace the first paragraph with the following text: | |||
In this case, the sender and recipient share secret information with | In this case, the sender and recipient share secret information with | |||
sufficient entropy (established via out-of-band means or from a | sufficient entropy (established via out-of-band means or from a | |||
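Review bot: The new ir/cr/kur/genm paragraph in 5.1.1.4 leaves the positional mapping underspecified. "MUST NOT contain more elements than the number of CertReqMsg or InfoTypeAndValue elements" permits a shorter list, but the text does not say which profile applies to the trailing requests that get no name, and there is no way to leave an earlier position without a profile while naming a later one. Suggest stating the behaviour for unmatched elements and whether an empty UTF8String is an acceptable placeholder. For genm, say which InfoTypeAndValue elements are counted. For p10cr, "MUST NOT contain multiple certificate profile names" combined with SIZE (1..MAX) means exactly one element, and saying so directly would be clearer. Neither paragraph says how a receiver should respond to a value that violates these limits. Minor: "a ir" should read "an ir".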
skipping to change at page 37, line 13 ¶ | skipping to change at page 37, line 35 ¶ | |||
-- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= {id-it 18} | -- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= {id-it 18} | |||
-- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent | -- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent | |||
-- - id-it-rootCaKeyUpdate added in CMP Updates [thisRFC] | -- - id-it-rootCaKeyUpdate added in CMP Updates [thisRFC] | |||
-- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19} | -- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19} | |||
-- CertReqTemplateValue ::= CertReqTemplateContent | -- CertReqTemplateValue ::= CertReqTemplateContent | |||
-- - id-it-certReqTemplate added in CMP Updates [thisRFC] | -- - id-it-certReqTemplate added in CMP Updates [thisRFC] | |||
-- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20} | -- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20} | |||
-- RootCaCertValue ::= CMPCertificate | -- RootCaCertValue ::= CMPCertificate | |||
-- - id-it-rootCaCert added in CMP Updates [thisRFC] | -- - id-it-rootCaCert added in CMP Updates [thisRFC] | |||
-- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} | -- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} | |||
-- CertProfileValue ::= UTF8String | -- CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String | |||
-- - id-it-certProfile added in CMP Updates [thisRFC] | -- - id-it-certProfile added in CMP Updates [thisRFC] | |||
-- | -- | |||
-- where | -- where | |||
-- | -- | |||
-- id-pkix OBJECT IDENTIFIER ::= { | -- id-pkix OBJECT IDENTIFIER ::= { | |||
-- iso(1) identified-organization(3) | -- iso(1) identified-organization(3) | |||
-- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} | -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} | |||
-- and | -- and | |||
-- id-it OBJECT IDENTIFIER ::= {id-pkix 4} | -- id-it OBJECT IDENTIFIER ::= {id-pkix 4} | |||
-- | -- | |||
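Review bot: The updated CertProfileValue comment line in the 1988 module carries only the SIZE (1..MAX) bound. The per-message limits from Section 2.5 (no more names than CertReqMsg or InfoTypeAndValue elements, a single name in p10cr) cannot be expressed in the type and are not mentioned next to it. Suggest adding a `--` comment line that points to Section 5.1.1.4, so that an implementer working from the module alone knows these checks have to be made after decoding.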
skipping to change at page 50, line 4 ¶ | skipping to change at page 50, line 22 ¶ | |||
-- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= {id-it 18} | -- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= {id-it 18} | |||
-- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent | -- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent | |||
-- - id-it-rootCaKeyUpdate added in CMP Updates [thisRFC] | -- - id-it-rootCaKeyUpdate added in CMP Updates [thisRFC] | |||
-- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19} | -- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19} | |||
-- CertReqTemplateValue ::= CertReqTemplateContent | -- CertReqTemplateValue ::= CertReqTemplateContent | |||
-- - id-it-certReqTemplate added in CMP Updates [thisRFC] | -- - id-it-certReqTemplate added in CMP Updates [thisRFC] | |||
-- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20} | -- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20} | |||
-- RootCaCertValue ::= CMPCertificate | -- RootCaCertValue ::= CMPCertificate | |||
-- - id-it-rootCaCert added in CMP Updates [thisRFC] | -- - id-it-rootCaCert added in CMP Updates [thisRFC] | |||
-- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} | -- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} | |||
-- CertProfileValue ::= UTF8String | -- CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String | |||
-- - id-it-certProfile added in CMP Updates [thisRFC] | -- - id-it-certProfile added in CMP Updates [thisRFC] | |||
-- | -- | |||
-- where | -- where | |||
-- | -- | |||
-- id-pkix OBJECT IDENTIFIER ::= { | -- id-pkix OBJECT IDENTIFIER ::= { | |||
-- iso(1) identified-organization(3) | -- iso(1) identified-organization(3) | |||
-- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} | -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} | |||
-- and | -- and | |||
-- id-it OBJECT IDENTIFIER ::= {id-pkix 4} | -- id-it OBJECT IDENTIFIER ::= {id-pkix 4} | |||
-- | -- | |||
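Review bot: On the CertProfileValue line, the value type changes from UTF8String to SEQUENCE SIZE (1..MAX) OF UTF8String while the identifier stays {id-it 21}. The two encodings carry different tags, so a decoder built against -11 will reject a -12 value and the reverse. Suggest a sentence for early implementers that the -11 encoding is no longer valid for this OID. The visible change is also confined to the `--` commented list, so if the 2002 module carries a non-comment definition of CertProfileValue, please confirm it was updated in the same way.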
skipping to change at page 51, line 36 ¶ | skipping to change at page 52, line 5 ¶ | |||
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } | -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } | |||
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } | id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } | |||
END | END | |||
Appendix B. History of changes | Appendix B. History of changes | |||
Note: This appendix will be deleted in the final version of the | Note: This appendix will be deleted in the final version of the | |||
document. | document. | |||
From version 11 -> 12: | ||||
* Extended Section 2.5 and the ASN.1 modules in Appendix A to allow | ||||
a sequence of certificate profiles in CertProfileValue (see thread | ||||
"id-it-CertProfile in draft-ietf-lamps-cmp-updates") | ||||
From version 10 -> 11: | From version 10 -> 11: | |||
* Add Section 2.10 to add an additional hashAlg field to the | * Add Section 2.10 to add an additional hashAlg field to the | |||
CertStatus type to support certificates signed with a signature | CertStatus type to support certificates signed with a signature | |||
algorithm not explicitly indicating a hash algorithm in the | algorithm not explicitly indicating a hash algorithm in the | |||
AlgorithmIdentifier (see thread "Hash algorithm to us for | AlgorithmIdentifier (see thread "Hash algorithm to us for | |||
calculating certHash") | calculating certHash") | |||
* Added newly registered OIDs and temporarily registered URI suffix | * Added newly registered OIDs and temporarily registered URI suffix | |||
* Exchanged the import of CertificationRequest from RFC 2986 to the | * Exchanged the import of CertificationRequest from RFC 2986 to the | |||
definition from RFC 6402 Appendix A.1 (see thread "CMP Update of | definition from RFC 6402 Appendix A.1 (see thread "CMP Update of | |||
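Review bot: The "From version 11 -> 12" entry records only that a sequence of certificate profiles is now allowed. It omits the normative rules added with it in Section 2.5: the element-count and ordering rule for ir/cr/kur/genm and the single-name rule for p10cr. Suggest listing them in this entry, since they are new MUST NOT requirements and not just a syntax extension.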
End of changes. 16 change blocks. | ||||
18 lines changed or deleted | 32 lines changed or added | |||